MSPs Should Fire Clients that Won’t Invest in Cyber Protection Services
Ransomware and other cyberthreats make under-protected clients a costly liability to MSPs.
October 11, 2021
Sponsored by Acronis
If you’re a managed service provider (MSP) in the business of providing IT services to small and medium businesses (SMBs), the threat of ransomware ranks high on your list of ongoing concerns. While massive ransomware attacks on large enterprises grab the biggest headlines, MSPs know that their smaller clients remain at the greatest risk: SMBs comprise 75% of all ransomware victims, according to the U.S. Justice Department.
Consequently, most MSPs are busy trying to get their clients to subscribe to modern cybersecurity and data protection services–and well they should. Clients that don’t have basic cyber protection are a costly risk to MSPs for several reasons:
They’re expensive to support, being much more likely to suffer cyberattacks that cost their MSP profit-draining days and weeks of containment and recovery operations.
Given the ability of many ransomware strains to spread beyond the initial target, they introduce increased cyber risk to every business in a client’s tech supply chain, including the MSP.
If the client carries cyber insurance, its carrier may try to recover ransomware attack damages from the MSP–even if the SMB’s failure to invest in adequate defenses led to the breach.
The pressure on MSPs to upgrade such clients to more robust cyber protection services is clearly increasing. Yet many SMBs are reluctant to incur even modest upgrade costs. Present your client with a proposal for a services tier that includes anti-ransomware defenses, and they’re likely to raise some typical objections:
“We thought we were already protected.” The client falsely hopes that a legacy antivirus solution that relies on signature matching to detect known malware is still adequate to counter the ransomware threat. (As every cybersecurity pro knows, it’s not–thanks in large part to the sheer volume of new iterations of ransomware that are generated daily, overwhelming signature-based defenses.)
“We’re too small; our data isn’t valuable enough to target.” The reality is that cybercriminals cast a very wide net these days. Many threats are automated, making it trivially easy to strike at SMBs. Attackers also know that even small businesses, faced with the prospect of staying offline for days or weeks from a ransomware attack, are likely to pay up. So-called double-extortion tactics, in which the attacker steals data before triggering the encryption attacks and threatens to leak it online if the ransom isn’t paid, further ratchet up the pressure.
“We have no budget for an upgrade.” This shortsighted notion ignores research from Cisco Systems that shows that one in five SMBs that suffer an attack will spend between $1 million and $2.5 million to recover from it. The contention that they can’t afford a modest increase in their monthly MSP charges to protect their business from an existential threat reflects a poor understanding of their risk environment.
In a world where cybercrime is spiraling upward–research firm Cybersecurity Ventures projects its global impact to reach $10.5T by 2025–MSPs should be increasingly reluctant to carry SMB clients that won’t make basic investments to reduce their cyber risk. Veteran MSP advisor Erick Simpson puts it in more blunt terms, encouraging MSPs to conduct what he calls “The Conversation,” in which the MSP gently lays out the case for why it’s no longer optional for the client to upgrade their cyber defenses–and seriously considers ending the relationship if the client refuses.
“Conducting ‘The Conversation’ with your under-protected clients can be awkward,” says Simpson, “but it’s critical in the current cyberthreat environment. It doesn’t take many ransomware attacks to drain your resources and profits to the point where you aren’t providing good service to your other clients. A few weakly protected clients can drive up your costs and lower overall client satisfaction, hurting your ability to win renewals. And we’re now seeing MSPs that have to fight cyber insurers to avoid paying damages from an attack that was clearly the client’s fault.”
Simpson offers the following advice to MSPs on how to conduct “The Conversation” with their SMB clients that currently have inadequate cyber protection:
Frame the upgrade not in terms of cybersecurity features and functions, but as a business necessity for both the SMB and the MSP to reduce their mutual risk and continue to grow profitably.
Educate the client on how ransomware and other cyberthreats have outgrown the capabilities of legacy countermeasures like signature-based antivirus.
Explain how their increased risk posture puts your other clients at risk–that responding to a successful attack on one client adversely affects your ability to protect and support all the others, which is unfair to clients that are paying for adequate defenses.
Set a date for them to upgrade their services, and explain that your business relationship with them cannot continue past that point if they can’t or won’t find the means to get onto at least your basic cyber protection services plan. Give them time to make the business case and find the budget internally, but set a deadline for action.
“No MSP wants to fire a client,” says Simpson, “but without adequate cyber protection, a few problem SMBs can drag down your business with unacceptably high support costs, cyber risk exposure and the threat of insurance recovery actions. It only takes one successful ransomware attack to cripple a client’s business, put a dent in yours and weaken your ability to protect the rest of your base. MSPs that hope to keep all of their clients safe while maintaining decent margins must learn how to conduct ‘The Conversation,’ and use it to nudge their under-protected clients to a tier of services where they’re no longer easy prey for cybercriminals.”
For a more detailed look at conducting “The Conversation,” watch the replay of Acronis’ recent webinar with Erick Simpson on the subject. It also includes the perspectives of an MSP owner who has had success upgrading his own clients to better cyber protection services using this approach.
James R. Slaby is the Director of Cyber Protection at Acronis. Previously, Slaby was an industry analyst covering cybersecurity, cloud computing, and networking at Forrester Research, HFS Research, Yankee Group and The Info Pro. He has also held solutions, vertical, product and campaign marketing roles at tech security and networking vendors including Sonus, Acme Packet, Bay Networks and Motorola.
This guest blog is part of a Channel Futures sponsorship.